How to Automate Security Policy Enforcement

Securing your systems is never a set-it-and-forget-it project. Configuration settings get changed either intentionally or inadvertently, and that affects your security posture. That's why cybersecurity is more of a lifestyle than a one-time event. But constantly checking your security configuration to make sure it's consistent with your security policy can be resource-intensive. In the video below, Robin Tatam explains how automating your security policy management improves system security without adding hours of extra work.

I want to talk today about what a lot of data centers experience when it comes to maintaining good security practices. If anybody's been around me for the last, I don't know, 15 years, you've heard me preach about the fact that we have to get our systems secure. But what happens afterwards? Well, one of the challenges, of course, is keeping your system in that state.

So, we want to use automation to make it so the server can actually do the heavy lifting for us. We don't want to have a full-time job of checking system settings. So, we have an environment called Powertech Policy Manager for IBM i (formerly Policy Minder) that allows for the definition of a security policy and then the system can self-verify, even potentially in some instances self-correct if it finds some issues.

So how does this work? Well, within the software we have the ability to define a security policy and there are a number of different categories we can define, ranging from profiles, of course, to file shares, even object level security settings, with object ownership, authorization lists, and public and private authorities.

These are things that are typically set and never checked again, so you don't find any discrepancies. Within the policy, we can set all of these types of items and a number of additional ones. And once the policy is defined, we have the ability to assess the policy using automated tools, and then resolve those issues that are discovered. And that could be an automated resolution or it could be a manual resolution, if you prefer to take action yourself.

Now this gives us the ability to achieve three things:

One, a more comprehensive audit of the environment. If you're going to do this type of checking manually, reality states that you're either not going to do it very often, you're certainly not going to do it very deeply. So we want to have a very comprehensive audit.

We want to be able to do it quickly. Granted, a manual check typically happens once a quarter, maybe once a year right before the auditor comes in. But we actually want to make sure that the system is being audited and validated on an ongoing basis. That's why the auditor is there, they're not there to check your system. They're there to make sure that you're checking your system. So, we need this thing to be fast, so that we can do it frequently.

And we need it to be automated. I don't know about you, but I don't want a full-time job printing spool files, looking at object authorities. I want the system to do that work for me.

So, with Policy Manager, we can automate this entire function, we can now do exception reporting instead of just simply generating tons of spool files or reports, and we can allow the system potentially to resolve those issues that it finds itself.

If you're interested in learning more about Policy Manager, check us out online or give us a call. We'll be happy to give you a demo. Thanks for coming, we'll see you again soon.